Coronavirus, spam texts, US dentists and Russians…

The UK government teamed up with mobile networks to send out mass text messages warning people to stay indoors during the coronavirus pandemic.

This meant an entire population was primed to receive government messages via text, which, as some have pointed out, is not a very secure way of communicating: nothing about a text message proves who sent it, since the sender name shown on the phone can be set to anything by whoever sends it.

In the wake of the legitimate government messages, there was a spate of malicious texts using various lures to trick users into visiting websites where their personal and financial information would be harvested, presumably so it could be used by hackers.

One of the malicious texts was tweeted by London’s Metropolitan Police:

(For the non-techie reader: the best way to read web addresses like these is to find the “public suffix” – the part handed out by a registry, which is .com here but can also be .co.uk, .org.uk, .org and so on – and then work backwards. The chunk of text immediately before it is the domain somebody actually registered, and that is the website you’ll really be visiting if you click – in this case, it’s estrodev [dot] com. Everything before that – in this case, the bit that says hmrc-cov19 [dot] payment – is simply a string of words that whoever owns the website can choose freely, and a scammer will naturally choose words like “hmrc” and “payment”. So if you click on the link above, you’ll be visiting a page on the website estrodev [dot] com, NOT an HMRC site. The same rule catches the other common tricks: anything after the first slash is just a page on that site, and a lookalike such as hmrc [dot] gov [dot] uk bolted onto the front of some other registered domain is still that other domain.)
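To make that “find the suffix and work backwards” rule concrete, here is a small Python routine that extracts the registered domain from a link. It is an added example, not code from the original article; the suffix table is a hand-picked, constructed subset of the real Public Suffix List (publicsuffix.org has thousands of entries) so that it runs offline, and the hostnames in the comments are illustrative.

```python
"""Work out which website a link really lands on.

Added example (not from the article). Reads the hostname from its public
suffix backwards: the label just before the suffix is the domain somebody
registered, and everything to its left was chosen by that registrant.
"""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List: enough for the cases discussed.
# The real list is much longer and should be used in production.
PUBLIC_SUFFIXES = {"com", "org", "net", "ru", "uk", "co.uk", "org.uk", "gov.uk"}


def registrable_domain(url: str) -> str:
    """Return the owner-controlled domain for a URL, e.g. 'estrodev.com'.

    'hmrc-cov19.payment.estrodev.com' is a page on estrodev.com, not on an
    HMRC site; 'secure.hmrc.gov.uk' really is on hmrc.gov.uk because
    gov.uk is a public suffix and hmrc is the registered label under it.
    """
    if "://" not in url:
        url = "http://" + url            # urlsplit needs a scheme to find the host
    # .hostname discards any user@ prefix and the port, and lower-cases the result,
    # so 'http://hmrc.gov.uk@estrodev.com/' correctly yields estrodev.com.
    host = (urlsplit(url).hostname or "").strip(".")
    labels = host.split(".")
    # Walk from the left so the first hit is the longest matching suffix
    # (gov.uk before uk); the label before it completes the registered domain.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"unknown public suffix in {host!r}")


def verdict(url: str, expected_domain: str) -> str:
    """Plain-English summary: does the link really go where its words suggest?"""
    actual = registrable_domain(url)
    if actual == expected_domain.lower():
        return f"page on {actual}"
    return f"page on {actual}, NOT on {expected_domain}"


if __name__ == "__main__":
    for link in ("http://hmrc-cov19.payment.estrodev.com/",
                 "https://secure.hmrc.gov.uk/claim",
                 "hmrc.gov.uk.evil-example.com/login"):
        print(link, "->", verdict(link, "hmrc.gov.uk"))
```

The `urlsplit` step matters: pulling the hostname out with a regular expression is how tools get fooled by `user@host` tricks and ports, and the first-match-from-the-left loop is what makes `.co.uk`-style suffixes come out right.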

It turns out this wasn’t the only coronavirus spam site on estrodev [dot] com. Twitter user Oliver Hough sent me a link showing a bunch of other coronavirus-payment-themed websites set up under the estrodev [dot] com umbrella, all created on March 20th.

Whoever controls estrodev [dot] com has been setting up what appear to be scam sites targeting UK citizens.

Another page on the estrodev [dot] com site was titled chrisestro. A Christian Estrellado is listed as a Managing Partner of Estro Digital, and his photo matches the Facebook profile of a Chris Estro who apparently manages a dental surgery in New Jersey.

(I contacted Mr Estro for comment, but have not yet received a reply. I will update this page as and when I get a response).

So, is a dental marketeer in the eastern US spamming Brits to trick them into surrendering sensitive info? Possibly not.

Looking back at the estrodev [dot] com website, it appears to have been a gathering place for a bunch of website building projects, and Christian Estrellado lists web development among the skills on his LinkedIn page.

According to one Reddit user, some of the websites apparently developed under the estrodev name had been built or maintained using WordPress, the content management system best known for blogging. It’s a very common set-up: the public-facing side of the site may look bespoke, but behind the scenes the owners use standard WordPress software to update and change it.

Problem is, because it’s such a popular tool, hackers are continually hunting for flaws in WordPress itself and, more often, in the thousands of third-party plugins and themes that run alongside it, looking for anything that lets them hijack the administrative controls and take over sites.

Reddit user aguywithathing claims some of estrodev’s WordPress tools were vulnerable to such flaws, which could have allowed a hacker to break in. It’s also possible that whoever was running the estrodev sites used a weak password, which might also have allowed the attackers access. Another possibility is that, if Chris Estro previously controlled the site, he let the domain registration lapse and the name was bought by someone else.

Whatever the explanation, while the public-facing side of the estrodev [dot] com website appeared to have been dormant for years, behind the scenes the site was still live, and was used to create dozens of coronavirus scam sub-sites to capitalise on the UK government’s messages.

So… if estrodev [dot] com was hacked, who did it?

Again, Reddit user aguywithathing posts some interesting info. Visitors to some of the scam sites are redirected to a different website – in all likelihood, it’s on this website that they are asked to enter the sensitive information the hackers want to get their hands on.

I’ve included the redirect address below as an image, because I don’t particularly want to link to it (and I haven’t yet plucked up courage to visit it myself), but it starts with google [dot] ru. That points to the (perhaps unsurprising) conclusion that the scammers who hacked into a New Jersey dental marketeer’s infrastructure, created a network of scam websites and then spammed many British mobile users hail from the Russian Federation. That conclusion deserves a caveat, though: a link beginning with google [dot] ru bounces victims through Google’s Russian-localised domain, and Google’s country domains are reachable from anywhere, so the choice of domain says more about a redirection trick than about where the operators actually sit.
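Since the important question is where the chain of redirects ends rather than where it starts, here is how a practitioner would trace it without ever rendering the final page in a browser. This is an added example, not code from the article or from the Reddit posts it cites: the `live_head` fetcher issues real HEAD requests and refuses to follow redirects automatically, while `trace` follows the Location headers by hand with a hop limit and loop check. The fetcher is injected so the chain can be traced against the constructed table of fake responses below, which stands in for the scam infrastructure; none of the hostnames in it are real.

```python
"""Trace a redirect chain hop by hop without visiting the final page.

Added example (not from the article). The hostnames in FAKE_RESPONSES are
constructed for illustration and do not correspond to any real site.
"""
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Fetcher = Callable[[str], Tuple[int, Optional[str]]]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects silently so every hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url: str) -> Tuple[int, Optional[str]]:
    """Real fetcher: one HEAD request, returns (status, Location header).

    Only run this from a machine you are happy to expose to the site.
    """
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With NoRedirect in place a 3xx surfaces here instead of being followed.
        return err.code, err.headers.get("Location")


def trace(url: str, fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Follow Location headers manually and return every URL in the chain.

    Stops at the first non-redirect response (the page that actually asks
    for the victim's details, or an error) and refuses to spin on a loop.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400 and location):
            return chain
        nxt = urljoin(chain[-1], location)   # Location is allowed to be relative
        chain.append(nxt)
        if nxt in seen:
            return chain                     # loop detected: report and stop
        seen.add(nxt)
    raise RuntimeError(f"more than {max_hops} hops starting from {url}")


def hosts(chain: List[str]) -> List[Optional[str]]:
    """Just the hostnames: the quickest way to see who is really involved."""
    return [urlsplit(u).hostname for u in chain]


# Constructed table standing in for the scam sites (not real hosts):
# a lure sub-site bounces through a redirector before landing on the form.
FAKE_RESPONSES = {
    "http://hmrc-cov19.payment.lure.example/": (302, "https://bounce.example.net/go?u=1"),
    "https://bounce.example.net/go?u=1": (301, "/form"),
    "https://bounce.example.net/form": (200, None),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for live_head driven by FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for hop in trace("http://hmrc-cov19.payment.lure.example/", fake_head):
        print(hop)
```

Swap `fake_head` for `live_head` to run it against a real lure (from a throwaway machine or VM); the host list at the end tells you which domain actually collects the data, which is the domain worth reporting.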

Of course, that leaves a string of unanswered questions: what happens to the sensitive information if people are tricked into handing it over? How did the hackers send out a plethora of text messages to UK phones? Did they do it in other countries? And perhaps most importantly, where did they get our mobile phone numbers from?